Application security, Vulnerability Management, Malware, Patch/Configuration Management, Endpoint/Device Security

ShadyPanda exploited Chrome, Edge browser extensions for 7 years

Hands of two people with mobile phones showing the chrome browser on one and microsoft edge on the other.

In what experts call one of the most advanced and long-running browser supply chain attacks they’ve seen, threat group ShadyPanda leveraged the auto-update mechanisms in Google Chrome and Microsoft Edge browsers to exploit the same vulnerability for seven years.

The campaign was first made public by Koi Security in a Dec. 1 blog post, in which the researchers said Chrome and Edge’s trusted update pipeline silently delivered the malware to users: no phishing or social engineering, just trusted extensions with quiet bumps that turned productivity tools into surveillance platforms.

“Not only are the technical aspects important, but so is the patience,” said Randoph Barr, chief information security officer at Cequence Security. “ShadyPanda demonstrated their commitment to long-term strategies by releasing clean extensions that garnered hundreds of thousands of installs, earning Google's 'Featured' and 'Verified' trust badges, and leveraging these badges through consistent updates years later. Their plan was simple: first, earn trust, then use it. And it worked.”

While Koi Security reported that China may have been involved, attribution is unconfirmed by law enforcement.

Here’s what is known: In 2023, the group went by developer names such as "nuggetsno15" and "Zhang." They shared more than 145 Chrome and Edge extensions that added tracking codes to eBay, Amazon, and Booking.com to help with affiliate fraud.

ShadyPanda changed its strategy again in early 2024 when it released a false productivity tool called Infinity V+ that sent users to trovi.com while also stealing cookies, reading what they typed in the search box, and profiling them in real time. This wasn’t smash-and-grab cybercrime; this was structured, scalable surveillance.

Cequence’s Barr said prior to these campaigns, ShadyPanda already had five legitimate extensions in the Chrome Web Store, including three published as far back as 2018. All were initially clean and even received Google’s trust indicators.

But in mid-2024, Barr said a quiet update transformed the Clean Master extension — which had more than 300,000 installs — into full remote code execution (RCE) frameworks. Every hour, the extensions pulled new instructions from attacker-controlled servers and executed arbitrary JavaScript with complete browser API access.

“The very auto-update mechanisms designed to keep users safe became the attack vector,” said Barr. “Chrome and Edge’s trusted update pipelines silently delivered malware with no phishing, no social engineering, and no user interaction. What were benign productivity tools suddenly became surveillance platforms.”


According to the Koi researchers, the next phase after Clean Master was a 4-million-user spyware operation that included five additional extensions from the same publisher, including WeTab with 3 million installs alone. These extensions are actively collecting every URL visited, search query, and mouse click — apparently transmitting data to servers in China.

John Carberry, solution sleuth at Xcape, Inc., said while there are suggestive patterns that might point to China, the public reports and Koi's findings don't offer definitive proof, so it's wise to consider the "China" angle unconfirmed.

“This long-running campaign underscores a significant failure in Google and Microsoft's vetting processes, highlighting the browser extension ecosystem as a major, unsecured software supply chain vulnerability,” said Carberry. “Though reports offer clues about a possible China connection, official attribution from law enforcement is still pending. Users should immediately review their installed extensions and remove any unnecessary ones, as the threat relies entirely on user trust. The seven-year success of ShadyPanda proves that the ultimate zero-day is simply waiting for the user to trust their browser.”

Or Eshed, co-founder and CEO of LayerX Security, said there are two dangerous assumptions with regard to browser extensions: the first is that they are harmless; and the second, that they stay static.

Eshed said while we often think of browser extensions as harmless little widgets that help us fix our spelling and find discount coupons, in practice, they are frequently granted extensive permissions to sensitive user data such as cookies, passwords, and browsing information, with very little oversight on their activity.

“The second false assumption is that browser extensions don’t change,” said Eshed. “In practice, extensions often go through ownership transfers, can be bought and sold, and can update their code at any time to add new hidden capabilities. This means that seemingly legitimate extensions can be turned rogue without the user's knowledge. That’s why static analysis of extensions is not enough, and users and enterprises need security tools that examine extension behavior in real-time.”

Cody Pierce, co-founder and CEO at Neon Cyber, added that the increase in malicious software add-ons, most notably Chrome Web Store extensions, is a strong indicator that the value of corporate or personal browsing activity, identities, and access to third-party SaaS tokens is a powerful ROI for attackers.

“Threat actors know that the browser is the operating system of business, and it's relatively easy to publish an extension to the Chrome Web Store,” said Pierce. “This creates an incentive to discover and exploit various activities for financial gain or initial access. The browser will remain a prime target for all kinds of clever attacks.“

Pierce offered four ways teams can defend against malicious Chrome extensions:

  • Enumerate all extensions currently installed across the enterprise.
  • Alert on new extension installations, including the permissions they grant.
  • Update or revise software usage policies to include third-party add-ons and train staff.
  • Include known malicious extension IDs in the organization's IoC or threat hunting playbooks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds